From 8a36e721407dd8eb3b1df71fbbbc7a6e3c804e48 Mon Sep 17 00:00:00 2001
From: Gregor Beck <gbeck@sernet.de>
Date: Tue, 5 Jul 2011 11:55:34 +0200
Subject: s3: avoid reading past the end of buffer in tdb_unpack 'f' if zero
 termination is missing

Signed-off-by: Michael Adam <obnox@samba.org>
---
 source3/lib/util_tdb.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/source3/lib/util_tdb.c b/source3/lib/util_tdb.c
index 65e46119b4..fb586f45d2 100644
--- a/source3/lib/util_tdb.c
+++ b/source3/lib/util_tdb.c
@@ -417,7 +417,7 @@ int tdb_unpack(const uint8 *buf, int bufsize, const char *fmt, ...)
 			break;
 		case 'f': /* null-terminated string */
 			s = va_arg(ap,char *);
-			len = strlen((const char *)buf) + 1;
+			len = strnlen((const char *)buf, bufsize) + 1;
 			if (bufsize < len || len > sizeof(fstring))
 				goto no_space;
 			memcpy(s, buf, len);
-- 
cgit